views:

185

answers:

2

In my ASP web page I am displaying SSN number

    " name ="txtSSNID" size ="20">

The Fortify Developer tool detects this as an error. How can I fix this issue?

I need to display the SSN number, but the thing is it should not be caught while testing in the Fortify developer tool for security violations.

+1  A: 

I am not sure exactly what you want, but like credit card numbers, can't you just show a few 'X's and the last few letters?

Shoban
A: 

Michael,

There are a few ways you can deal with this problem:

  1. Talk to your product manager and arrange for an exception from PCI compliance, or get approval from him to apply an output mask to this data. Like replace 123-11-1234 with 12X-XX-XXXX for display.

  2. If you do need to display the value, use SSL and request the user's login credentials a second time immediately before showing the SSN.

  3. If you really need to make Fortify stop displaying the error, you can click on the red X in Fortify Audit Workbench to suppress the finding. For this you are going to want to obtain approval from your security auditor.

Douglas Held
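A server-side masking helper, added here as an illustration and not code from either answer, showing the output mask both answers describe (Shoban's "show the last few" and Douglas's 12X-XX-XXXX form) applied before the value is written into the txtSSNID field, plus a check that the rendered markup no longer carries a full SSN. Python stands in for the ASP server code; the function names are assumed.

```python
import html
import re

# Accepts 123-11-1234 or 123111234 (constructed sample shapes); anything else is rejected
# rather than passed through, so a malformed value is never echoed to the page unmasked.
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")

# A full SSN as it would appear in rendered output, with or without hyphens.
UNMASKED_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{9}\b")


def mask_ssn(ssn: str, style: str = "last4") -> str:
    """Return a display-only form of an SSN.

    style="last4"  -> XXX-XX-1234  (the credit-card style mask from the first answer)
    style="first2" -> 12X-XX-XXXX  (the mask suggested in the second answer)
    """
    m = SSN_RE.match(ssn.strip())
    if not m:
        raise ValueError("value is not SSN-shaped; refusing to render it")
    area, _group, serial = m.groups()
    if style == "last4":
        return f"XXX-XX-{serial}"
    if style == "first2":
        return f"{area[:2]}X-XX-XXXX"
    raise ValueError(f"unknown mask style: {style}")


def render_ssn_field(ssn: str, style: str = "last4") -> str:
    """Build the read-only input for the page from the masked value only.

    Masking happens here, on the server, so the browser never receives the
    full SSN; masking with client-side script would still ship the secret.
    """
    masked = html.escape(mask_ssn(ssn, style), quote=True)
    return f'<input type="text" name="txtSSNID" size="20" readonly value="{masked}">'


def contains_unmasked_ssn(markup: str) -> bool:
    """Defensive check for a response body: True if a full SSN slipped through."""
    return UNMASKED_RE.search(markup) is not None


if __name__ == "__main__":
    page = render_ssn_field("123-11-1234")  # constructed sample value
    print(page)
    print("leak detected:", contains_unmasked_ssn(page))
```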